Robust polarization-based quantum key distribution over collective-noise channel 
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We present two polarization-based protocols for quantum key distribution. The protocols encode 
key bits in noiseless subspaces or subsystems, and so can function over a quantum channel subjected 
to an arbitrary degree of collective noise, as occurs, for instance, due to rotation of polarizations 
in an optical fiber. These protocols can be implemented using only entangled photon-pair sources, 
single-photon rotations, and single-photon detectors. Thus, our proposals offer practical and realistic 
alternatives to existing schemes for quantum key distribution over optical fibers without resorting to 
interferometry or two-way quantum communication, thereby circumventing, respectively, the need 
for high precision timing and the threat of Trojan horse attacks. 

PACS numbers: 03.67.Pp 03.67.Dd 42.65.Lm 



Quantum key distribution (QKD), such as the BB84 
protocol proposed by Bennett and Brassard in 1984, al- 
lows two parties (Alice and Bob) to generate an arbitrar- 
ily long random secret key provided that they initially 
share a short secret key and that they have access to a 
quantum channel Q. As opposed to classical key dis- 
tribution, the secrecy of the generated key does not rely 
on computational assumptions but simply on the laws of 
physics: as long as quantum mechanics holds, the infor- 
mation available to an eavesdropper (Eve) can be made 
arbitrarily small. 

Photons are obvious candidates for mediators of quan- 
tum information since they are fast, cheap, and interact 
weakly with the environment. Both free air and optical 
fiber based QKD have been realized experimentally; see 
and |j| for reviews. Any experimental implementa- 
tion of QKD naturally has to deal with the issue of noise 
in the quantum channel, which substantially complicates 
the security of QKD, as Eve may attempt to disguise her 
eavesdropping as noise from another source. Standard 
security proofs deal with channel noise, including photon 
loss, and show that Eve acquires essentially no informa- 
tion provided the noise rate is not too high. Higher noise 
rates mandate lower key generation rates, and once it 
becomes too large, secure key generation is impossible. 

Building a viable quantum cryptographic system there- 
fore depends on ensuring that the noise rate is low. The 
degree of freedom used to encode the information can be 
the polarization of the photon, its phase, or some com- 
bination of both. Purelyphase-based schemes have been 
realized experimentally [4| but require complex interfero- 
metric setups, high precision timing, and stable low tem- 
peratures. Interferometry becomes even more challeng- 
ing with multi-photon states because of the difficulty of 
keeping phase coherence between the photons. A scheme 
which escapes some of these limitations using a clever 
encoding of key bits was proposed recently p| . 

Polarization-based schemes also come with a disadvan- 
tage as optical fibers rotate polarizations of transmit- 
ted photons, and the degree of rotation fluctuates over 
time. If left untreated, this would result in an unac- 



ceptably high error rate. A number of proposals have 
been made to handle this source of errors; we present 
a new solution which is in some ways superior. Singlet 
states |*-) = 4j(|01) - |10>), where {|0),|1)} is any 
basis of the qubit Hilbert space, have the property that 
they are unchanged under equal rotations on both qubits; 
this is the defining property of a noiseless subspace. (If 
one's qubits are the polarization degrees of freedom of 
single photons, as we assume here, then |0) and |1) can 
be taken to denote, for instance, the vertical and hor- 
izontal polarization states.) We present two protocols 
that take advantage of this property to encode key bits 
in four- or three-photon states. These states should be 
experimentally realizable, and form simple examples of a 
noiseless subspace or subsystem, respectively (also called 
a decoherence-free subspace and subsystem) |a, H El ■ 

Free-space QKD is largely immune to the problem of 
polarization rotation: the coupling between the photons 
and the molecules in the atmosphere can be absorbed in 
a dielectric constant to very good approximation. The 
same unfortunately cannot be said about optical fiber. 
Rather, the dielectric constant acquires a spatial and 
temporal dependence, yielding an overall time dependent 
unitary transformation of the polarization state of a sin- 
gle photon, U (t), as the net effect of the fiber. This varies 
on the time-scale of thermal and mechanical fluctuations 
of the fiber, the shortest of which we will refer to as Tfi uc . 
If the time delay between the photons is small compared 
to Tfi uc , the effect of this noise on the state of N photons 
is well approximated by 



PN ^[U(t)f N p N [U(t)T N , 



(1) 



where t now denotes the time of transmission. This is 
known as the unitary collective noise model |(|. 

There are several ways to deal with collective noise. 
The most obvious way is to continuously estimate the 
transformation U (t) and systematically compensate for 
it. However, this requires an interruption of the trans- 
mission and, if the fluctuations become too rapid, the 
communication channel becomes useless. A second pos- 
sibility — a phase-polarization hybrid which has been 
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used successfully to realize QKD over 67km |9j] — uses 
the Faraday orthoconjugation effect to autocompen- 
satc the effect of U(t). Roughly speaking, if the transfor- 
mation on the photon during its transmission from Bob 
to Alice is described by U(t), it can be C/(i) — 1 when the 
photon is transmitted back from Alice to Bob, yielding 
no net transformation overall. The quantum informa- 
tion can be encoded by an extra phase transformation 
performed by Alice before returning the photon to Bob. 
Obviously, this technique only works if U(t) is roughly 
constant throughout the transmission of the photon; this 
sets an upper limit of CTfi uc to the distance over which 
QKD can be implemented with this scheme. 1 

Although such two-way quantum communication can 
eliminate collective noise, it allows for new attacks not 
possible against BB84. Since Alice receives and emits 
signals, it is possible for Eve to probe her laboratory — 
a technique known as the Trojan horse attack. There 
are many ways in which she can do this. She could add 
a weak signal to the channel at a slightly different fre- 
quency and recover some information about Alice's phase 
transformation by subsequently filtering the output sig- 
nal. Eve could also try to entangle an ancilla system 
with the signal before it enters Alice's lab and perform 
a joint measurement on the two after Alice has retrans- 
mitted the signal. She could also intercept the signal and 
send a different signal to Alice, and thereafter measure 
the output to estimate the applied phase transformation, 
etc. Technical solutions for some of these attacks have 
been proposed. However, Eve has an enormous variety of 
attacks available, and to prove true information-theoretic 
security, one must assume that Eve has arbitrary techno- 
logical power; for instance, she can outperform the best 
frequency filtering available to Alice and Bob. Because 
of its inherent use of two-way quantum communication, 
the protocol is formally quite different from the standard 
BB84 protocol, and proving its security may be quite 
difficult. 2 

The schemes we propose here are purely polarization- 
based and cope with collective noise without resorting to 
two-way quantum communication. In the first protocol, 
the quantum information is encoded in a noiseless sub- 
space, while in the second protocol, it is encoded on a 
noiseless subsystem. 3 A noiseless subspace is invariant 
under the action of the collective noise operation (here 
U® N ). Any state within it is therefore unaffected (mod- 



1 However, with today's technology, photon loss is a much more se- 
rious limitation to the distance over which QKD can be achieved. 

2 Note, however, that QKD must make use of two-way classical 
communication between Alice and Bob, and this presents no par- 
ticular barrier to security proofs. Indeed, taking full advantage 
of two-way classical communication results in a protocol with 
substantially greater tolerance for noise llll . 

3 Such encodings also obviate the need for Alice and Bob to share a 
reference frame (such as, for instance, a known relative alignment 
of their linear polarizers) , as has been pointed out in the context 
of quantum communication in Ref. |12| . 



ulo a global unphysical phase) by the noise. When such 
a subspace does not exist, it may still be possible to find 
a set of density operators which are invariant under the 
effect of noise. These density operators instead form a 
noiseless subsystem on which pure states can be encoded. 

The protocols we present use singlet states as building 
blocks. Information is encoded in the pairing of the pho- 
tons; the various ways of organizing three or more pho- 
tons into pairs provide us with different states with which 
to encode information. The photons must be distinguish- 
able if different pairings are to correspond to different 
physical states: they need to be labelled in some way. 
Physically, this means that the photons must differ with 
respect to some degree of freedom. Here, the photons are 
assumed to differ in their time of arrival; they are spa- 
tially separated in the optical fiber. Furthermore, each 
bit is encoded on multi-photon states which must also be 
distinguished even in the presence of noise. Therefore, 
the multiplets of photons must be spatially separated by 
a distance greater than the separation between individ- 
ual photons inside a multiplct. The fluctuation time r/; MC 
needs only to be large with respect to the difference in the 
arrival times of the first and last photon of a multiplet. 

It is crucial that information about the pairing resides 
only in the polarization state of the photon. For exam- 
ple, variations in the frequency of the photons can reveal 
pairing information: the frequencies of the two photons 
in each singlet must add up to the frequency of the pump, 
but the frequencies of photons in different singlets need 
not match. By measuring the energy of the photons, but 
not their polarization, Eve can learn about how they are 
paired without affecting the outcomes of Bob's measure- 
ments. This energy signature of the pairing can be elim- 
inated by filtering the photons before they leave Alice's 
lab. Indeed, if the band- width of the filter is smaller than 
the band-width of the pump laser, almost no information 
about the pairing can be recovered by Eve. Similarly, we 
must wash out the phase relation between photon pairs. 
That is, the information must only be encoded on the 
relative order of the photons, not in their absolute time 
of arrival. This can be achieved by choosing the time 
delay between the photons in each multiplct at random 
from a certain range. 

We will now present our two protocols: the first one 
encodes the quantum information on four-photon states 
while the second only requires three-photon states. We 
do not prove their security here, but rather point only 
to their similarities with a protocol proposed by Bennett 
in 1992 (B92) which is known to be secure jy). We 
hope to provide a complete security proof in a later pa- 
per. The first protocol requires the definition of three 
normalized states of a photon quartet: 

hM= 1 r~i = ^ 2 (\a)-\b)) 

KM= 1 1 1 l=^(|c>-|&» 
|^3> = 1 J"" I 1 = ^(|a) - |c» (2) 
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All these states correspond to pairs of singlet states: in 
photons one and two form a singlet state and so do 
photons three and four. The two other states correspond 
to the two other possible ways of pairing four photons as 
is illustrated by the diagrams. The states are invariant 
under uniform rotations, so in any basis, these states 
can be decomposed into the superpositions noted above, 
where 

\a) = -L(|0101> + 11010)) 
|6) = 4(|0H0) + 11001)) 
|c) = -^(|0011) + 11100)). 

It is straightforward to verify that KV'il^i)! = 1/2 for 
i =/= j. It is therefore impossible to reliably distinguish 
any pair of these states, but it is possible to make a mea- 
surement that provides some information. Measuring the 
polarization of all four photons allows Bob to distinguish 
states \a), \b), and |c). Therefore, if Alice restricts her 
transmission to one of a pair of states, Bob can tell which 
of the two states she sent 50% of the time. For example, 
suppose Alice transmits one of the pair {ipi, 4>2}- When 
Bob measures either "0101" or "1010", he can conclude 
that she sent |^i). When he gets either "1100" or "0011", 
he concludes she sent {ifa). Given any other outcome, 
Bob can not deduce with certainty which state she sent. 

Note that Bob's measurement constitutes a probabilis- 
tic error-free discrimination procedure |Tfij for any pair of 
the three states Alice might submit. That is, it is a mea- 
surement that with some probability identifies, without 
error, which of the pair was submitted, and with some 
probability yields an inconclusive outcome. 

We now present the protocol. 
Protocol 1 

1. Alice chooses a random (4 + S)n bit string X and 
a random (4 + 8)n trit string B. 

2. Alice encodes each bit {0,1} of X according to 
{-01, V^} if the corresponding trit of B is 0; {r/^j ^3} 
if B is 1; or {^3,<M if B is 2. 

3. Alice sends the (4+S)n quartets of photons to Bob. 

4. Bob receives the photons, and announces this fact. 
For each of the (4 + S)n photon quartets, he ran- 
domly chooses between the rectilinear or diago- 
nal polarization basis. He then measures each of 
the four photons of each quartet according to this 
choice of basis. 

5. Alice announces B. Given this information, and us- 
ing the procedure described above, Bob can deter- 
mine, for each quartet, whether or not his measure- 
ment was conclusive, and if conclusive, the value of 
the encoded bit. 



6. Alice and Bob discard all bits where Bob's mea- 
surement was inconclusive. With high probability, 
there are at least 2n bits left which they keep. Oth- 
erwise, they abort the protocol. 

7. Alice selects a random subset of n bits and tells 
Bob which bits were selected. 

8. Alice and Bob announce and compare the value of 
the n selected bits to estimate Eve's interference; 
if more than an acceptable number of errors are 
found, they abort the protocol. 

9. Alice and Bob perform information reconciliation 
and privacy amplification on the remaining n bits. 

In step 4, the choice of basis does not affect the mea- 
surement outcome of Bob: this is in fact the main prop- 
erty of the encoding. Nevertheless, it is crucial that Eve 
does not know in which basis the measurement is per- 
formed. If she knew, she could measure in the same basis 
as Bob, and would know everything Bob knew. Since she 
does not know, she will frequently measure in a different 
basis than Bob and therefore introduce errors that will 
reveal her presence. 

As the protocol is written, in step 6, Alice and Bob 
discard any bits for which Bob's measurement is incon- 
clusive. Nevertheless, an inconclusive result could still 
be useful. Indeed, any measurement result whose weight 
differs from 2, e.g. "1011", indicates that Eve has tam- 
pered with the communication. This provides Alice and 
Bob with some extra data to estimate Eve's interference: 
only allowed code-words should be observed by Bob. 

If steps 4 and 5 are inverted — which could only pro- 
vide Eve with more information — we get a protocol 
quite similar to B92. Alice encodes the bit in two pre- 
selected nonorthogonal states which she sends down the 
quantum channel. Bob then performs a von Neumann 
measurement chosen at random from a certain set, which 
can be cast in terms of a positive operator valued mea- 
surement (POVM): this is also required in B92. Nev- 
ertheless, there are certain differences in the nature of 
these POVMs which must be studied carefully to arrive 
at a complete security proof. We are currently work- 
ing on these issues. The B92 protocol is not secure if the 
transmission rate is below 1/2. Eve can replace the noisy 
channel by a perfect channel and measure Alice's output 
in such a way that she achieves a conclusive discrimina- 
tion with probability , in which case, she knows the state 
and can send it to Bob. In the case of an inconclusive 
result, she does not send anything. From Alice and Bob's 
point of view, this would be indistinguishable from the 
natural noise. By delaying the announcement of B, our 
proposal escapes this limitation. 

The simplicity of the measurement — single photon 
polarization — is a clear advantage of this protocol. (The 
possibility of discriminating between states that are in- 
variant under collective noise, without having recourse 
to collective measurements, has also been noted in Ref. 
18]) Furthermore, the required states have already been 
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produced by several groups 0, 0] . Two singlet states 
can be produced in a short time interval via parametric 
down-conversion by sending a femto-second pump laser 
pulse back and forth across a crystal (using a mirror). 
Since the photons are emitted in different directions, the 
EPR pairs can be clearly distinguished. Zhao et al. 0] 
have produced these pairs of singlets at a rate of 20 kHz. 
Optical delays and switches can be used to create any of 
the three states of Eq. If Bob's single-photon detec- 
tors have a jitter of roughly 300 picoseconds, the delay 
lines must have a length of order 10 centimeters. 

At first glance, it looks like there are two copies of the 
information in this encoding. For instance, if Alice an- 
nounces that the bit is encoded as {ipi,ip2}, the value of 
the first two measurement outcomes is enough to some- 
times deduce the value of the encoded bit: it is neces- 
sarily 1 if the outcomes are the same. The same holds 
for the measurement outcomes on the last two photons. 
Nevertheless, this redundancy is intrinsic to our quantum 
encoding scheme and doesn't provide Eve with any ex- 
tra information. The second protocol we present exploits 
this redundancy to reduce the size of the encoding. 

Protocol 2 is a slight modification of Protocol 1. In 
step 3, instead of sending the entire state to Bob, Al- 
ice randomly discards one photon from each quartet and 
sends the remaining three. In step 5, Alice should also 
announce which photon she has discarded. Therefore, 
the three pure states of Eq|2] are replaced by the three 
mixed states 
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where the "o" denotes the maximally mixed state. These 
states are obviously invariant under collective noise. Fur- 
thermore, any pair can be distinguished with a finite 
probability, just as with the states in Protocol 1. This 
follows from the fact that they constitute non-orthogonal 
mixed states with non-identical supports, and the fact 
that one can achieve probabilistic error-free discrimina- 
tion of such mixed states For example, suppose that 
Alice has announced that the bit is encoded as {pi,^}- 



Clearly, any measurement outcome of Bob's where pho- 
ton 1 and photon 2 come out parallel rules out the state 
p\. Here, the two outcomes "000" and "111" never occur 
in the absence of eavesdropping; they indicate that Eve 
has tampered with the communication. 

These states do not form noiseless subspaces, because 
any particular pure state in the decomposition of the 
density matrices p\, p2, or p% does not remain invari- 
ant under collective noise. Instead it is transformed into 
another state in the decomposition of the same density 
matrix. For instance, \^~) ® |0), in the decomposition of 
pi, becomes under collective bit- flip l^ - ) ® |1). The indi- 
vidual states are not noiseless, but the space spanned by 
them is; therefore they form a noiseless subsystem, and 
the density matrices are invariant under collective noise. 

This second protocol shares many similarities with 
Protocol 1. It is our hope that essentially the same 
proof will be able to show both protocols are secure. 
In practice, Alice does not have to create two photon 
pairs and discard one photon; she could simply create 
one pair and one additional photon in the maximally 
mixed state. This should greatly increase the optimal 
transmission rate since pair creation schemes have rela- 
tively low efficiency. Furthermore, Protocol 2 — based 
on trios of photons instead of quartets — should suffer 
less from photon loss and hence be realizable over greater 
distances. 

On a speculative note, perhaps the two protocols could 
be hybridized into a more robust protocol. Alice could 
always encode her information on photon quartets. Bob 
could then divide the photon multiplets into two sets de- 
pending on how many photons from the quartet actually 
made it to the destination: set 1 when all four photons 
made it and set 2 when only 3 photons were detected. 
The outputs from set 1 could then be used to complete 
Protocol 1 while those of the second set would be used as 
in Protocol 2. However, this suggestion provides Eve with 
a wide variety of attacks unavailable in our two protocols, 
and its security must therefore be studied on a different 
basis. 
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